| Field | Value | Date |
|---|---|---|
| author | Lucas Charles <me@lucascharles.me> | 2019-09-10 14:37:51 -0700 |
| committer | Lucas Charles <me@lucascharles.me> | 2019-09-10 14:45:04 -0700 |
| commit | d7a7ef4bd0a344e27ff3c35c70f594c233389d96 | |
| tree | 370a03c93220fe1e3469c5e790f0b95d2be6ccea | |
| parent | 0498ec89a1b44caad91603215d1ea96aaa4e1eb8 | |
Enable modsecurity in nginx-ingress deployments
Branch: 65192-enable-modsecurity-in-ingress-ce
Update the default ingress chart to enable modsecurity along with the
default Core Rule Set.
This functionality uses the default settings of
"detection-only" mode to log requests to the audit log but blocks no
traffic by default.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/65192
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | app/models/clusters/applications/ingress.rb | 18 |
| -rw-r--r-- | changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml | 5 |
| -rw-r--r-- | doc/user/clusters/applications.md | 21 |
3 files changed, 44 insertions, 0 deletions
diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb index 50def3ba38c..8654393dc95 100644 --- a/app/models/clusters/applications/ingress.rb +++ b/app/models/clusters/applications/ingress.rb @@ -35,6 +35,10 @@ module Clusters 'stable/nginx-ingress' end + def values + content_values.to_yaml + end + def allowed_to_uninstall? external_ip_or_hostname? && application_jupyter_nil_or_installable? end @@ -67,6 +71,20 @@ module Clusters private + def specification + return {} unless Feature.enabled?(:ingrees_modsecurity, cluster.project) + + { + "controller" => { + "config" => { "enable-modsecurity" => "true", "enable-owasp-modsecurity-crs" => "true" } + } + } + end + + def content_values + YAML.load_file(chart_values_file).deep_merge!(specification) + end + def application_jupyter_nil_or_installable? cluster.application_jupyter.nil? || cluster.application_jupyter&.installable? end diff --git a/changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml b/changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml new file mode 100644 index 00000000000..8a2e9fae1c1 --- /dev/null +++ b/changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml @@ -0,0 +1,5 @@ +--- +title: Enable modsecurity in nginx-ingress apps +merge_request: 32905 +author: +type: added diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index e43b1ca6826..518094d2cc9 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md 
@@ -117,6 +117,27 @@ balancing, SSL termination, and name-based virtual hosting. It acts as a web proxy for your applications and is useful if you want to use [Auto DevOps](../../topics/autodevops/index.md) or deploy your own web apps. +#### Modsecurity Application Firewall + +By default we enable +[`modsecurity`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity) +to check requests against [OWASP's Core Rule Set](https://www.modsecurity.org/CRS/Documentation/). +This feature runs in "Detection-only mode" unless configured and is viewable by +checking your ingress controller's modsec log for rule violations. +This can be done by tailing the audit log on your ingress-controller pod: + +``` +kubectl -n gitlab-managed-apps exec -it ingress-nginx-ingress-controller-8675309-bz5n4 -- tail -f /var/log/modsec_audit.log +``` + +There is a small performance overhead by enabling modsecurity, however, +if this is considered significant for your application you can disable this +using a feature flag by running the following command within the rails console: + +```ruby +Feature.disable(:ingress_modsecurity) +``` + NOTE: **Note:** The [stable/nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress) |
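Review bot: the new public `values` method in the first `ingress.rb` hunk (`@@ -35,6 +35,10`) ships without a spec; the diffstat lists only the model, the changelog and the doc, so neither `values` nor the flag-dependent `specification` it serialises is exercised by a test. Suggest a model spec asserting that `values` contains `enable-modsecurity: "true"` and `enable-owasp-modsecurity-crs: "true"` when the flag is on and omits them when it is off. Minor: `values` re-reads and re-parses `chart_values_file` on every call, so if it is invoked more than once per install, memoising `content_values` would avoid the repeated file I/O.

Review bot: the flag key in the second `ingress.rb` hunk (`@@ -67,6 +71,20`) is misspelled: `Feature.enabled?(:ingrees_modsecurity, cluster.project)` reads `ingrees`, while the doc hunk in this same patch tells users to run `Feature.disable(:ingress_modsecurity)`, so the documented disable command toggles a flag the model never consults. Independently of the typo, it is worth confirming what `Feature.enabled?` returns when the flag has never been set for a project: if an unset flag reads as off, modsecurity is only enabled where someone has explicitly turned the flag on, which is the opposite of the "By default we enable" wording in the doc hunk and of the commit message; if that is not the intent, the call needs the flag defaulted to enabled. One smaller point: `YAML.load_file(chart_values_file).deep_merge!(specification)` mutates a hash that is discarded immediately afterwards, so the non-bang `deep_merge` reads more clearly and behaves the same.

Review bot: the disable instruction in the `applications.md` hunk, `Feature.disable(:ingress_modsecurity)`, does not match the key the model checks (`:ingrees_modsecurity` in the `specification` hunk), so a reader following this doc would not turn the feature off; the two spellings need to agree before merge. Two documentation points in the same hunk: the text says the feature runs in "Detection-only mode" "unless configured" but never says where or how that is configured, so either point at the relevant setting or drop the qualifier; and the `kubectl exec` example uses a concrete-looking pod name, `ingress-nginx-ingress-controller-8675309-bz5n4`, which readers will copy verbatim, so prefacing it with `kubectl -n gitlab-managed-apps get pods` or marking the name as an example would help.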